My name is Prachand and I am an SE on the Platforms Networking Team. My intent for this post is for it to be a quick reference guide for setting up secure wireless networking using Microsoft products. It describes how to create an infrastructure for authentication, authorization, and accounting for wireless connections using Microsoft RADIUS Server (IAS/NPS) and Windows clients. Before going into the details of how to create the protected 802.1x network, let’s take a minute to understand the components of 802.1x.

IEEE 802.1X is an IEEE Standard for port-based Network Access Control. It provides authenticated network access to wired Ethernet networks and wireless 802.11 networks. It offers the capability to permit or deny network connectivity, control VLAN access and apply traffic policy, based on user or machine identity. It enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting.

PEAP (Protected EAP) is an authentication method that uses TLS to enhance the security of other EAP authentication protocols.

When selecting the authentication mechanism, you need to balance between the levels of security required with the effort required for deployment. For the highest level of security, choose PEAP with certificates (EAP-TLS). For the greatest ease of deployment, choose PEAP with passwords (EAP-MS-CHAP v2).

Now let’s move on to the main topic. In order to create an infrastructure for authentication, authorization, and accounting for protected wireless connections for an organization using Windows wireless clients, the following steps need to be completed:

Regardless of which authentication method is used for wireless connections, computer certificates must be installed on the NPS servers.

For PEAP-MS-CHAP v2, there is no need to deploy a certificate infrastructure to issue computer and user certificates for each wireless client computer. Instead, you can obtain individual certificates for each NPS server from a commercial CA and install them on the NPS servers.

For computer authentication with EAP-TLS or PEAP-TLS, a computer certificate, also known as a machine certificate, must be installed on each wireless client computer. For user authentication with EAP-TLS or PEAP-TLS after a network connection is made and the user logs on, you must use a user certificate on the wireless client computer.

In order to create Certificate Infrastructure, follow the below steps:

Once the Certificate Infrastructure is ready, you need to configure AD accounts and groups. To configure Active Directory user and computer accounts and groups for wireless access, do the following:

· Create a USER account for all users who would make wireless connections.

· Create a COMPUTER account for all computers that would use wireless connections.

· Set the remote access permission on user and computer accounts to the appropriate setting (either Allow access or Control access through Remote Access Policy) as shown below:

Step 3: Configuring the Wireless Access Point

The next step is to deploy the wireless Access Point. The AP needs to be configured to support WPA, WPA2, or WEP encryption with 802.1X authentication. Additionally, configure the RADIUS settings on your wireless APs or switches with the following:

Step 4: Configuring the NPS Server

The NPS server requires a certificate. You can use the RAS and IAS certificate template to create a new template to use for NPS servers. The link below discusses configuring this template and enabling it for auto-enrollment:

If you are using EAP-TLS or PEAP-TLS, you need to install computer and user certificates on wireless clients. If the domain is configured for autoenrollment of computer certificates, each computer that is a member of the domain requests a computer certificate when Computer Configuration Group Policy is refreshed. To force a refresh of Computer Configuration Group Policy for a computer running Windows 7, Windows XP, or Windows Server 2003, restart the computer or type gpupdate /target:computer at a command prompt.

For user authentication with EAP-TLS, a locally installed user certificate or a smart card must be used. The locally installed user certificate must be obtained through autoenrollment, Web enrollment, by requesting the certificate using the Certificates snap-in, by importing a certificate file, or by running a CAPICOM program or script.

If you have configured autoenrollment of user certificates, then the wireless user must update their User Configuration Group Policy to obtain a user certificate. If you are not using autoenrollment for user certificates, use one of the following procedures to obtain a user certificate:

If you have configured settings for the Wireless Network (IEEE 802.11) Policies Group Policy extension and specified the authentication type wireless network, no other configuration is needed for wireless.

If you are not using GPO, you can manually configure the authentication on a wireless client running Windows 7, using the following steps:

2. Click the Security tab. In Security type, select 802.1x, WPA-Enterprise, or WPA2-Enterprise. In Choose a network authentication method, select the method from the drop-down list, and then click Settings.

3. If using EAP-TLS or PEAP-TLS, in the Smart Card or other Certificate Properties dialog box, select Use a certificate on this computer to use a registry-based user certificate, or Use my smart card to use a smart card-based user certificate.

If you want to validate the computer certificate of the NPS server, select Validate server certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect to these servers and type the names.

4. Click OK twice.

To summarize, for EAP-TLS or PEAP-TLS, you need to have a certificate infrastructure to issue computer certificates to your NPS servers and both computer and user certificates to your wireless client computers. For PEAP-MS-CHAP v2, you only need to install computer certificates on the NPS servers, provided that the appropriate root CA certificates are already installed on the wireless clients. You will need to manage Active Directory users and groups for wireless access, configure NPS servers as RADIUS servers to the wireless APs, and configure the wireless APs as RADIUS clients to the IAS servers.

All these links point to obsolete Windows Server 2003 Certificate Services guides.

This article was published on the 30th May 2012, so what is the reason for recommending guidelines based on 9 year old technology, if a Windows Server 2008 and Windows Server 2008 R2-based Certification Authority is also available, and the NPS itself is also a Windows Server 2008+ based technology? It does not make sense to use the most recent version of the Radius role of Microsoft (the NPS server), while referring to the CA based on Windows Server 2003.

The recommendation on installing computer and user certificates is also misleading! The Windows Server 2008/2008 R2 guides (I even specify the document title, you can look for it: Windows Server

I read a lot of the articles on this blog, and most of them are a) professionally written, b) accurate, and c) also provide an end-to-end solution. By end-to-end I mean it guides me through all the steps from the beginning till the desired result is achieved, and they are made in a clear, descriptive way. But they are definitely not written in the form of just throwing you a list of outdated TechNet articles, so you should "..go on and read them, I am not gonna waste my time here to explain all these things to you!"

However, this particular post is like stealing (or "borrowing" if you say I am too harsh here) from unrelated TechNet articles, without proper explanations of why each step or TechNet link is needed in the process of achieving a secure 802.1x wireless infrastructure.

In order to justify my statement, let me highlight the issues in this article:

I know how PKI works, so it's clear to me that the Root CA is a must here, out of question. But what is the relation between the computer and user certificate in this list? "AND" or "OR"? The bottom part of the article talks about autoenrollment of domain-based computer certificates and certificates issued to the user. However, PEAP-TLS CAN work with either a user or a computer certificate; it does not enforce both. This is not indicated in this article properly. The referenced NPS configuration TechNet article in "Step 4: Configuring the NPS Server" does not specify the explicit use of a user or computer certificate, so why should we say at the beginning that we must have both?

Also, "Root CA certificates for issuers of NPS server computer certificates" is an incomplete statement, as the "Root CA certificates for issuers of wireless client computer and user certificates" must also be present on the wireless client, otherwise the client won't trust the user/computer certificate.

Next issue (still in the same table): Certificates on NPS Server –> Computer certificates: this is incorrect terminology! On the NPS server actually a "Server"-type certificate must be present. Sounds like a minor difference, right? It's not! A server certificate in the Microsoft terminology is a certificate that has the "Server Authentication" Enhanced Key Usage (EKU), as opposed to what the Microsoft terminology calls a "computer" certificate, which is a certificate with the "Client Authentication" EKU. Significant difference!

Next issue: PEAP-MS-CHAP v2 -> Certificates on the NPS server -> only the computer certificate is listed here (which is the incorrect terminology, as explained above). But what about the Root CA cert that issued the "server" certificate for NPS? It must be listed in the table as well, that's out of question.

"If you are using EAP-TLS or PEAP-TLS, you need to install computer and user certificates on wireless clients. "

No, I don't need to! I can, but I don't need to! There was no explanation at the beginning of this article of whether computer OR user OR computer+user authentication is the desired result, so just plainly stating that you NEED both is pure unprofessionalism.

I'm finishing my review here; the article basically is not that bad, but we are talking here about PKI, certificates, NPS, all kinds of stuff that does not allow any kind of chance for misunderstanding. I would recommend pulling this article back and fixing it properly!

"Create a USER account for all users who would make wireless connections", "Create a COMPUTER account for all computers that would use wireless connections"

"Set the remote access permission on user and computer accounts to the appropriate setting (either Allow access or Control access through Remote Access Policy) as shown below"

Why do I need to create a computer account AND a user account? The whole article does not say a word about what I need this particular computer and user account for.

Why do I need to set the Dial-in parameter? The whole article does not say a word about why I need to configure this attribute for the computer and user account. The default NPS 802.1x wired/wireless connection wizard sets the rule to "Grant" and enables the option "Ignore user dial-in properties". So it seems to me the account dial-in config will be ignored anyway, so why configure it then?

At a later stage, there is again a bunch of TechNet articles thrown in my face on how to configure and install NPS. However, in those TechNet URLs, they set up network policies based on GROUPS and not accounts. Yet another sign that if you refer to the work of others, at least read them before using them in your own article.

Next issue: Step 4: Configuring the NPS Server -> The NPS server requires a certificate. You can use the RAS and IAS certificate template to create a new template to use for NPS servers. The link below discusses configuring this template and enabling it for auto-enrollment: PS Server Certificate: Configure the Template and Autoenrollment

This URL goes to the certificate template duplication solution, and not the Windows 2003 CA solution, so again: there is no cohesion between the instructions for computer/user certificate autoenrollment and NPS server certificate autoenrollment. If you "borrow" similar topics from others, borrow from the same guy, so the similar topics borrowed will all look the same.